2e80059a92e23f07ece25cd25f4e855cb01c8623a5ca9d8d63756c2273368563

max time kernel
132s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08/10/2022, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fucker script.exe
Size

104KB
MD5

db0655efbe0dbdef1df06207f5cb5b5b
SHA1

a8d48d5c0042ce359178d018c0873e8a7c2f27e8
SHA256

52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
SHA512

5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
SSDEEP

1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq

Score

8^/10

collection persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Docked = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup\footer = "&u&b&d"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{83F191C1-4761-11ED-9AAE-C6457FCBF3CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\AddToFavoritesInitialSelection = "C:\\Users\\Admin\\Favorites"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000001500000001000000000700005e010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000002000000010000000083ffff0083ffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372036948"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "290"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Docked = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Docked = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\LinksType = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup\header = "&w&bPage &p of &P"	IEXPLORE.EXE

Modifies registry class 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000300000005000000020000000100000004000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000300000005000000020000000100000004000000ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	explorer.exe

Suspicious behavior: AddClipboardFormatListener 56 IoCs

pid	Process
628	OUTLOOK.EXE
2424	vlc.exe
2980	vlc.exe
2260	vlc.exe
2992	vlc.exe
3204	vlc.exe
3268	vlc.exe
3500	vlc.exe
3536	vlc.exe
3656	vlc.exe
4048	vlc.exe
3840	vlc.exe
3844	vlc.exe
4148	vlc.exe
4368	vlc.exe
4408	vlc.exe
4424	vlc.exe
4720	vlc.exe
4948	vlc.exe
4852	vlc.exe
4000	vlc.exe
5448	vlc.exe
5580	vlc.exe
6124	vlc.exe
5292	vlc.exe
5436	vlc.exe
2316	vlc.exe
6828	vlc.exe
6956	vlc.exe
7096	vlc.exe
6256	vlc.exe
6464	vlc.exe
6320	vlc.exe
6940	vlc.exe
2056	vlc.exe
7236	vlc.exe
7336	vlc.exe
7396	vlc.exe
7524	vlc.exe
7648	vlc.exe
7700	vlc.exe
7868	vlc.exe
1484	vlc.exe
8400	vlc.exe
8484	vlc.exe
8664	vlc.exe
8940	vlc.exe
8208	vlc.exe
8264	vlc.exe
2684	vlc.exe
4508	vlc.exe
2968	vlc.exe
8308	vlc.exe
8224	vlc.exe
3640	vlc.exe
9016	vlc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1828	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 57 IoCs

pid	Process
2424	vlc.exe
2980	vlc.exe
2260	vlc.exe
2992	vlc.exe
3204	vlc.exe
3268	vlc.exe
2000	iexplore.exe
3500	vlc.exe
3536	vlc.exe
3656	vlc.exe
4048	vlc.exe
3844	vlc.exe
3840	vlc.exe
4148	vlc.exe
4368	vlc.exe
4408	vlc.exe
4424	vlc.exe
4720	vlc.exe
4948	vlc.exe
4852	vlc.exe
4000	vlc.exe
5448	vlc.exe
5580	vlc.exe
6124	vlc.exe
5292	vlc.exe
2316	vlc.exe
5436	vlc.exe
6828	vlc.exe
6956	vlc.exe
7096	vlc.exe
6256	vlc.exe
6464	vlc.exe
6320	vlc.exe
6940	vlc.exe
2056	vlc.exe
7236	vlc.exe
7336	vlc.exe
7396	vlc.exe
7524	vlc.exe
7648	vlc.exe
7700	vlc.exe
7868	vlc.exe
1484	vlc.exe
8400	vlc.exe
8484	vlc.exe
8664	vlc.exe
8940	vlc.exe
8208	vlc.exe
8264	vlc.exe
2684	vlc.exe
4508	vlc.exe
2968	vlc.exe
8308	vlc.exe
8224	vlc.exe
3640	vlc.exe
9016	vlc.exe
1928	explorer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: 33	5984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5984	AUDIODG.EXE
Token: 33	5984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5984	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	8612	helppane.exe
Token: SeTakeOwnershipPrivilege	8612	helppane.exe
Token: SeTakeOwnershipPrivilege	8612	helppane.exe
Token: SeTakeOwnershipPrivilege	8612	helppane.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
2424	vlc.exe
2000	iexplore.exe
896	iexplore.exe
2424	vlc.exe
1524	iexplore.exe
2424	vlc.exe
2000	iexplore.exe
2980	vlc.exe
2260	vlc.exe
2980	vlc.exe
2260	vlc.exe
2992	vlc.exe
2992	vlc.exe
3204	vlc.exe
3204	vlc.exe
3268	vlc.exe
3268	vlc.exe
3500	vlc.exe
3500	vlc.exe
3536	vlc.exe
2260	vlc.exe
3536	vlc.exe
2980	vlc.exe
3656	vlc.exe
3656	vlc.exe
2992	vlc.exe
4048	vlc.exe
4048	vlc.exe
3204	vlc.exe
2000	iexplore.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
2424	vlc.exe
2424	vlc.exe
2980	vlc.exe
2260	vlc.exe
2980	vlc.exe
2260	vlc.exe
2992	vlc.exe
2992	vlc.exe
3204	vlc.exe
3204	vlc.exe
3268	vlc.exe
3268	vlc.exe
3500	vlc.exe
3500	vlc.exe
3536	vlc.exe
3536	vlc.exe
3656	vlc.exe
3656	vlc.exe
4048	vlc.exe
4048	vlc.exe
3844	vlc.exe
3844	vlc.exe
3840	vlc.exe
3840	vlc.exe
4148	vlc.exe
4148	vlc.exe
4368	vlc.exe
4408	vlc.exe
4368	vlc.exe
4408	vlc.exe
4424	vlc.exe
4424	vlc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
896	iexplore.exe
896	iexplore.exe
2000	iexplore.exe
2000	iexplore.exe
1524	iexplore.exe
1524	iexplore.exe
628	OUTLOOK.EXE
628	OUTLOOK.EXE
628	OUTLOOK.EXE
628	OUTLOOK.EXE
2424	vlc.exe
992	IEXPLORE.EXE
992	IEXPLORE.EXE
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2000	iexplore.exe
2000	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2980	vlc.exe
2260	vlc.exe
2992	vlc.exe
3204	vlc.exe
3268	vlc.exe
3500	vlc.exe
3536	vlc.exe
3656	vlc.exe
2000	iexplore.exe
2000	iexplore.exe
4048	vlc.exe
3884	IEXPLORE.EXE
3884	IEXPLORE.EXE
2000	iexplore.exe
2000	iexplore.exe
992	IEXPLORE.EXE
992	IEXPLORE.EXE
2000	iexplore.exe
2000	iexplore.exe
3840	vlc.exe
3844	vlc.exe
3864	IEXPLORE.EXE
3864	IEXPLORE.EXE
2000	iexplore.exe
2000	iexplore.exe
4148	vlc.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
896	iexplore.exe
896	iexplore.exe
4292	IEXPLORE.EXE
4292	IEXPLORE.EXE
896	iexplore.exe
896	iexplore.exe
4368	vlc.exe
4424	vlc.exe
4408	vlc.exe
2000	iexplore.exe
2000	iexplore.exe
4720	vlc.exe
4532	IEXPLORE.EXE
4532	IEXPLORE.EXE
3884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 1616	768	chrome.exe	34
PID 768 wrote to memory of 1616	768	chrome.exe	34
PID 768 wrote to memory of 1616	768	chrome.exe	34
PID 1688 wrote to memory of 1144	1688	wmplayer.exe	36
PID 1688 wrote to memory of 1144	1688	wmplayer.exe	36
PID 1688 wrote to memory of 1144	1688	wmplayer.exe	36
PID 1688 wrote to memory of 1144	1688	wmplayer.exe	36
PID 1688 wrote to memory of 1144	1688	wmplayer.exe	36
PID 1688 wrote to memory of 1144	1688	wmplayer.exe	36
PID 1688 wrote to memory of 1144	1688	wmplayer.exe	36
PID 896 wrote to memory of 1260	896	iexplore.exe	37
PID 896 wrote to memory of 1260	896	iexplore.exe	37
PID 896 wrote to memory of 1260	896	iexplore.exe	37
PID 896 wrote to memory of 1260	896	iexplore.exe	37
PID 2000 wrote to memory of 992	2000	iexplore.exe	38
PID 2000 wrote to memory of 992	2000	iexplore.exe	38
PID 2000 wrote to memory of 992	2000	iexplore.exe	38
PID 2000 wrote to memory of 992	2000	iexplore.exe	38
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1352	768	chrome.exe	42
PID 768 wrote to memory of 1828	768	chrome.exe	43
PID 768 wrote to memory of 1828	768	chrome.exe	43
PID 768 wrote to memory of 1828	768	chrome.exe	43
PID 768 wrote to memory of 1068	768	chrome.exe	44
PID 768 wrote to memory of 1068	768	chrome.exe	44

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Users\Admin\AppData\Local\Temp\fucker script.exe
"C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
1⤵
PID:2012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1260
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:406532 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4292
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:209934 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4532
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:406550 /prefetch:2
  2⤵
  PID:4040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:992
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275459 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2652
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:1061892 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3884
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:1586183 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3864
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:3748877 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4936
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1860
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:1192982 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:5264
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:3486741 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:5604
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:16659474 /prefetch:2
  2⤵
  PID:6548
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:3093525 /prefetch:2
  2⤵
  PID:7932
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:3355669 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:7948
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:2372657 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:8752

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6684f50,0x7fef6684f60,0x7fef6684f70
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,2549978627502159739,6105336110399950813,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1056 /prefetch:2
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1044,2549978627502159739,6105336110399950813,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1044,2549978627502159739,6105336110399950813,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1704 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,2549978627502159739,6105336110399950813,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,2549978627502159739,6105336110399950813,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,2549978627502159739,6105336110399950813,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3284 /prefetch:2
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,2549978627502159739,6105336110399950813,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1176 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,2549978627502159739,6105336110399950813,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:7844

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:1144

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:836

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1524
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2268

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:924

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2608

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2776

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2908

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2980

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2260

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2408

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2612

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2992

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2952

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3132

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3168

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3192

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3204

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3232

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3252

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3268

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3332

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3536

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3624

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3656

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3736

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3748

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3848

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3932

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3948

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3968

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3984

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4000

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3348

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:780

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3840

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3816

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3728

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3772

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:4252

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4348

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4660

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4708

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:4856
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:4872

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4928

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4948

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4984

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5052

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5100

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3772

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4232

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4376

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4332

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4480

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4728

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4672

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4852

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4856

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5012

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4000

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3792

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3668

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5448

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5456

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5500

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5528

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5556

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5580

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5640

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5828

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:5864

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5884

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:5892

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5208

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5256

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5272

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5292

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:304

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2316

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5436

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5808

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x674
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5984

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:892

C:\Windows\System32\msdt.exe
"C:\Windows\System32\msdt.exe" -skip TRUE -path C:\Windows\diagnostics\system\networking -ep NetworkDiagnosticsPNI
1⤵
PID:5980

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5236

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:5284
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\no7lf-gr.cmdline"
  2⤵
  PID:6396
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96C5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC96B5.tmp"
    3⤵
    PID:6416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6220

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6300

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6480

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6488

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6828

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6880

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6932

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6956

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6168

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6248

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6192

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6296

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6380

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6256

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6464

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6320

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6940

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6272

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2056

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:892

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6260

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7172

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7184

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7196

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7236

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7252

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7300

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7336

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7344

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7396

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7476

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7524

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7648

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:7852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:7860

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7868

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7896

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8116

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8168

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:7808

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7644

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:1484

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8052

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7848

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7916

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8296

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8324

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8340

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8360

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:8400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8460

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:8484

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8568

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8612

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:8664

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:8940

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\RestartInitialize.ppt"
1⤵
PID:8252

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\ResolveRemove.ods"
1⤵
PID:8224

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\RepairPublish.ADTS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:8208

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\ShowDismount.docm"
1⤵
PID:6116

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\SplitSuspend.wma"
1⤵
PID:8248

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\StopJoin.ini"
1⤵
PID:8236

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\SubmitWait.ico"
1⤵
PID:8292

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\SuspendConvertTo.exe"
1⤵
PID:8304

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\TestUnprotect.vdx"
1⤵
PID:8352

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\SyncUpdate.aif"
1⤵
PID:8332

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\UnlockDeny.contact"
1⤵
PID:8368

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\UnprotectSave.WTV"
1⤵
PID:2484

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\LockEnter.pub"
1⤵
PID:8412

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\PingConvertTo.ico"
1⤵
PID:8576

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\RemovePublish.clr"
1⤵
PID:8272

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\RenameConvert.xls"
1⤵
PID:2684

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\RenameRestart.MTS"
1⤵
PID:8620

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\RenameGroup.midi"
1⤵
PID:2828

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:9180

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9140

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6116

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8248

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8228

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:8264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8412

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8576

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2684

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8936

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:9068

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8376

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8428

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4508

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8748

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8500

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9204

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2968

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2720

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9052

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8412

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:8308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4640

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3004

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8740

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:8224

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4924

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:3640

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:9016

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4216

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b349d7622ce4a1324fc4d036755eedd3

SHA1
1ee13f09bf4e60337be6c384b0fefb7ecf753f92

SHA256
e0c1a8060f6cc4befab39ba0bd49ca9ef2038e3f875605d0ad05f1bbaac503d9

SHA512
51fa522fd7616edd98ef3d64ab1c6eb4a3c105f575100499b292ccf9b74f96156e4cebbad8f98ca04aef76bccc0303e182b572facf7d32cf73c703433c8fa034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f40da5f12f869f0fd92e32f3008915b1

SHA1
7d99881282137ae2e4f8e28e1f1315efd28dbcb4

SHA256
46a6c725f6fb60e8cda6958a5d6dc17d7a5b45fb587c74dbf2164a4b139e6807

SHA512
4c1bcbebf5fa0e8fd075e5cac2ffa2cca66af40ae92599b127ecca5bdab0929de3c9efed0c519262967b2670d2aed85203ff2bedcb94b9ed2aced577cde5ebeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ba9020d605b2bf7bd7ecc4a0914fe7a

SHA1
7e330074a48c92ef3cc8d13e5e1378b4661f7043

SHA256
0e2e651b9390828a8df530ea3f2f0b7ae88281a17d9531856304f72f4c4011a8

SHA512
0176295ec3639193ae8516ffecea265f2dfd08ac91674588e569963632a65efd42ed29a3b539070026e05c12f387792a9a82fe96ddeb1190500dcd0e86febb86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e67a7b3ba9a03fed3d9e3683b29f4b58

SHA1
58b65383d85dd6170507d40d68ada28090adc848

SHA256
8e3769bbac8aed9eab9f291f14762504d6d7214804d290530426ef07ee918e48

SHA512
f8262933c238be6db8085d9f17851e782b296a2b290373dffd21a881f6ef7f46fe3ed4c02cd6693408d3175e7da561307b0165d506ec66838a768007ba4ad3b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7be4dac8d89af4d5f5bf25330dfc0809

SHA1
bb3c3e3792c48755f042a10b07222cc096afa49c

SHA256
7f82e8cfb8f0ab7f8b3920da5602e492b4779dd69ace3d47bdcdfd93c801024c

SHA512
49693b0f5f9cd2deccc2ccd2c2f1744b8e5bc62c9023ec519e494078567f1074df6660f9482344b0ea03d860710dd945518447f65b92fba0b2dea2eb01cbe948

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37a4931c0dc8e3d0097c5bc90146347f

SHA1
d9005c15fc1d5347c235c96ceaebf9d28ae64de9

SHA256
fe8b28c7a547139bb15894d086dd9f70fa54ee267c60074a73992bf36ab68630

SHA512
3fc143c5de0b3598ace88d4bc30eeac3f6f38f4ff10d0f40d6571c225be323ba7a209d2d68fa34e6cd88f662d32b26d686c638ccf6df27f57afdbbc165ce3d6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4f8d70509468b781abcdfc9ba696b98

SHA1
af7ccc001d163c7f1cd6fd61fc08095ac4af7169

SHA256
6d364327d6c8e9c2fb5bbf2c1c7f0e3bc39eacd9b1f5face2e5b977b6f498eff

SHA512
38a61dc17cc5c3d03ac1402ccf0105408d6730b938f049c146f0f7147ddd4668f0d236a6deb5c91ff8e2b8d4e7edc918329ed70478d58067be6117d261f0d008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd0b0fcca42d6a08bf075ba7ddd5bce3

SHA1
e23f6a20f5fc1703b9feeaa394ba21475dbb97b7

SHA256
639d4ce58395c0b432e03a467cc7a32f1aed5ce8352010a5764a588b8815ef0d

SHA512
6f6d64e02621d19b2fb9e6227d4a1d7201ffe71a30e5ef0a9e0943d57dee0c5c8377662b100cfade2234e311d6b5989407afb21eaabe207f8c076d5a3b381c85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b7a9f0c5443a5b45200e589a7dfaa41

SHA1
4989436b26409d9b45e14bcff86d7a88f89fd6fa

SHA256
ed48704027ae86fc7812b5c0113b716df88980ee293f4d3bafdb44ac8565caf6

SHA512
199973b5d0d82d3fae4cfe45413ff4fd36b9ff3c23dcc7f18e23d1d271d308baf97f0b232325d09112a4a3c1dcefbf114f329a8f434b329544314fcab8d07a70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bac6c78f0806e381395cc568aa7acb73

SHA1
2cca043e350dec1e87fb84b971addaf458e64e4b

SHA256
b2f6e5b4ded3702eac8a7c0a65a3759c3d0d49ddfd73e78bf371862af450a2c0

SHA512
d70fe7c0d1d51c8c32bda033c4a6d0236559d10397f5645bda723b22d967b7035688ce7cc544f51f36b8391eede1517727bccf9c23a1807c59c5fa2067a63156

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e433563271c1ff524f61e4a5d487d0f

SHA1
de53b442be069ba8a6e652d8b0697bf676e02b5d

SHA256
31eb342fcbec67c0902dc995510cbc2b012ce882457c999dff80d4c5dcd02b1c

SHA512
7f23984eff2940973dd79c6dd54750e819b3f9869070dc76bdf513aeb1c6131c61e1ae7a18396f89c5ff7483d5ec557d1fcf807550b2b6fe080381520df40b01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fc7f4729bea110e574ed15dc2917b93

SHA1
65f7c4310a6e11019bce84280b85c18b36adc4c3

SHA256
26c82e9d7875fce1182c9050ae61de66cf8905b85a94bedbfcd5d966d0102be8

SHA512
33ac03460f1370fd898828acfc9a393f5f12927c0ddc836baeabf3f70411b73084be9d83639eb1b7844d748973ed3b75acce82af686d48d7152e3c76603e80c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e3fec73f23ce119826b470874ecf427

SHA1
93b01b0237f3a183193c8d8c05c1e703b1718326

SHA256
1c6cf062a0380a8927a28c9519af6da71e4313fa3a556184830c4412a51bfdec

SHA512
007105e3cd9f360d53b90b996a70b42165ff095ee8d84ca5b552ec8474bdec5790da7b0ce7274529a18d0e8f7de4356855d2559dcb293788569980ab8a3a42ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f33f233bdeaf5cb3c28dba272e05b58

SHA1
26bc79b06519ba2944ca4e2fc845fb33b2a13e7e

SHA256
64674234955fd2f8c32402fd2401503c0c91fb76132e2db003ff518f82584760

SHA512
1292b6b5c4dff221c923e4d7ee9c1360af959718aa38f84f0f698461bfe970988fb9eef83a70e22fecef1c0dd0569bb92fd53ccf8e318074f02b29c74df3dd0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88927b6f42e57d8f8ff358a9310af55d

SHA1
5611cb21fc94e18beb3d21b4def62102d43e0968

SHA256
dfac308ffe8426ea03375f9186d3fb90b77e5d6b0995838efb7461b26a3afc0b

SHA512
524f9aaa8d316e1a2b8ae2c67c3f88e36dc23f30d8ca238120a325941636b1d4941379e940de7a945d34b1aea1402e5272fc3ae7a53375c48364f4727c42269a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6331ce72ce382d35fa4d4fb1e36926b8

SHA1
721c04ba7e03b57fe1a77ec5540c046ba9df744e

SHA256
7a54aa35b588bfc17b6832aa8a712b103a2b78d2f08c16c65f2875855b2acf4d

SHA512
30b0306624159123b9151a5cf08d95817383941f0d44c8cc95722b1e0a08c2e5093eb3ad8209d9eadde0bddc61b95c377b85812341d40668e361fd797039d1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{83EA65D1-4761-11ED-9AAE-C6457FCBF3CF}.dat

Filesize
5KB

MD5
f31dd7ddbe89ea163f18754c521c07d3

SHA1
e425dfbdc6d3204096eeeba9015fd212b46823ca

SHA256
8eb756aac1a680b991aec0f95c517a399604fe68b52a864aac176b0fb3233e35

SHA512
b4635202caa14d8c18d680e14547bfb4fcc00c2ad8a6ac8867414f821aa4c5a4a43fa18e577cdbf63f0c24b3bd5e3787874acf267d734615d455142a25190e3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{83F191C1-4761-11ED-9AAE-C6457FCBF3CF}.dat

Filesize
3KB

MD5
9c02dad841063588b6cc653fd33f529a

SHA1
a06c60eabd7f2eb7ced2cf8e1de51d3fba69e091

SHA256
8f6942b2211ce5dbb0232be7875123fd2ed93bb4904f579d90d28d3c584b154d

SHA512
a6811f631c262d12a8eac8e60d3b1d158dcd32828ed44ddbc20591e88b05058464256893d69d80333848793cf658bcd5770fbfbd4f8e9802469aab9259eb8f1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{83F191C1-4761-11ED-9AAE-C6457FCBF3CF}.dat

Filesize
5KB

MD5
d8f8cd742305c54d8be8cf594b50f175

SHA1
53f080f580ee5fd61607f1865be12f46b56d2e87

SHA256
d24fd84776678098fcf870d61d6eb88cd6e87891aced578824c3c80df58cd0c0

SHA512
1f44efc5619a3b61cad748cbce4947e287e944eb8c5e7f30e49435bd17a61c052e4ef930b94da862ba382114d53bb3b41f8febcf2bd097a761e4e6927603a422

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES96C5.tmp

Filesize
1KB

MD5
c1dc114fb7c2bcd60e6110001171518e

SHA1
4f58cb1dd55a7bbf60da755b8ce4eda9db350caf

SHA256
1624062ee9f58bfba4acf167696b73159153c3ec13a9bf6815b5b5a4ea64d5ed

SHA512
793263c3d13d7a479a994317f68dbe781ed72059b5015c9c30ce9edb46fc76d5b0099788b6ea3a469eaef95d42469b51dfcd853c6883e661cc8b706e9ffdb96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\no7lf-gr.dll

Filesize
3KB

MD5
4b4e25911122c81180bd55660f6c7dc2

SHA1
40839b3dc39003833229ae2ddafdb1df4df85961

SHA256
d5c2ed6790a9c7dab9537b61fc08909cd5a00575e3ce0ebcb44cf13230d0f9cd

SHA512
cb083f6fac8eb04b4943a48fef69ce50aa4fa8ab292200b52865b265960a67d56ea26a6378e7a63d8dbaeb94f5e6422ec142f51f70d9d510c539a5217bfdeb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\no7lf-gr.pdb

Filesize
11KB

MD5
1dcf90c3e9f3b0f2f2982170bbc4fe4c

SHA1
e51123e41eb457701e70e3fc6a7ed2a242df7c4b

SHA256
1fc6b46f8b6a728d59fb7c7fdf6bec80f98a47780274328ad5bfe5000ef3b6c7

SHA512
404a7259cc82b24d23924708ad673659f43c903d9fb8e2174a8723727376844c5cc3a867d557f562c3197215c1454e9fa94995e1c598b47fe7987a1fcffdeb89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VTFJH3GU.txt

Filesize
608B

MD5
b0ab2a6600c3e23f7256bfe52c33eea5

SHA1
ce0695ddb43f4ebae8746e12c445ae166ad47eef

SHA256
1f94479eac3140d70a6c2befa6cdb44a5d8c52427033c152036cc232e30759f2

SHA512
ca5541b9aadf4270c218b11bd5f724c806c6ff6624e8a7a1cc57b234d021ff511a07afdd99954da1df325f935f2cd508df15011524eac24aeb4b3ce0bdfb0a19

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
81B

MD5
3303971f9d5ce81de91d6403cc634f3f

SHA1
9009fafdaa2bb96cc3d9e2074c27f41e3ea5f35b

SHA256
62a403ab42694cb7fd4f4690843c32994c5b8ff996c14b4ffb532dd99342c9b8

SHA512
a9dea14df57e8eff856261de4b6810ad0a69f0be5662ece5c04464972f85b7d4b58c9799d71474614ba1a4265955ed93a8471dbc2be9d360fc720a8560ea0622

Download Submit
C:\Windows\TEMP\SDIAG_e61716bf-0ad6-4cfd-ac3b-f2294931ab42\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_e61716bf-0ad6-4cfd-ac3b-f2294931ab42\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_e61716bf-0ad6-4cfd-ac3b-f2294931ab42\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_e61716bf-0ad6-4cfd-ac3b-f2294931ab42\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC96B5.tmp

Filesize
652B

MD5
84962f1752136c26e31df2b7f9a5b9d1

SHA1
13a2cb78deffd03ebad35ef0910781a0b025ee6c

SHA256
cdadaba63d1fb678399d70b448ad2bb6e5b1d779fd5fb9d82afd441972df8f7c

SHA512
e303890ae41003a5584f57b5fb1771b4ab69c86d4780e9d0bb9ac5b8e953c98e99b80cdc3d6a98c234ee3805c878188e341c62d7afe202f1cc4bc20e1271084a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\no7lf-gr.0.cs

Filesize
1007B

MD5
bac2724be827ee042ff2b312050aa844

SHA1
ca34fd2feb835c8746ad1bec6de9a24cc1368595

SHA256
6901eb7b1a34580f7ae741d2a0d09bfa0e85e0b2cbd945d961291e6f4a02bd33

SHA512
3e7b6d91ed41007b471c93015c7c8900c7141766d7a83b394fabceac93f91cb4b37ed06abc3371f96b314355aa4facf9e0214d7dfcb7faa0018db02ad0a970aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\no7lf-gr.cmdline

Filesize
309B

MD5
427630e0f5fe277d55733d3b7ab5e2e0

SHA1
71eb30994aee9cef7fd03a8ec0d1bf17bbd247a6

SHA256
8e0e7ef3b545227cd25def6d50de4da6c17d4f85f6fcdcc37ecd7bfa8e04bcc7

SHA512
d03c4ff768f2f821a1c9544980e4613983f27b73ac14b3e6c0b4acb77852b0c9c130a92ba35cccd670bc6108fe408674f8b15afe6ae7bc32231e346548eff87e

Download Submit
memory/628-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/628-113-0x000000007356D000-0x0000000073578000-memory.dmp

Filesize
44KB

Download
memory/628-65-0x0000000069FB1000-0x0000000069FB4000-memory.dmp

Filesize
12KB

Download
memory/628-60-0x0000000072581000-0x0000000072583000-memory.dmp

Filesize
8KB

Download
memory/628-63-0x000000007356D000-0x0000000073578000-memory.dmp

Filesize
44KB

Download
memory/1512-54-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/1688-55-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download